2569607db6216e47cf11aa407a874daaab81dce34e482e205e6f5654be2159d5

Analysis

max time kernel
97s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94f5ef770d21e0ecb209d66c657efc70N.exe
Size

1.7MB
MD5

94f5ef770d21e0ecb209d66c657efc70
SHA1

9f3c5f8d9d40226acd2968ff05e6480ecc983c0c
SHA256

2569607db6216e47cf11aa407a874daaab81dce34e482e205e6f5654be2159d5
SHA512

5114a6217afbcdb49a961bb245a33e6b01bacab04b0d657160ce39aa458e480ada24d8fd54851077149c7455886f80ba64cb76f14972376a9bc69333cc41f175
SSDEEP

24576:Z7FUDowAyrTVE3U5F/Ba++KU4+di+2a7tqDr2n/h2jyWAkzEyeCEnQjBOgVPf6:ZBuZrEU3+Ziytqn2nOyLWIaBOuf

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3544	94f5ef770d21e0ecb209d66c657efc70N.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94f5ef770d21e0ecb209d66c657efc70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94f5ef770d21e0ecb209d66c657efc70N.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 3544	744	94f5ef770d21e0ecb209d66c657efc70N.exe	85
PID 744 wrote to memory of 3544	744	94f5ef770d21e0ecb209d66c657efc70N.exe	85
PID 744 wrote to memory of 3544	744	94f5ef770d21e0ecb209d66c657efc70N.exe	85

C:\Users\Admin\AppData\Local\Temp\94f5ef770d21e0ecb209d66c657efc70N.exe
"C:\Users\Admin\AppData\Local\Temp\94f5ef770d21e0ecb209d66c657efc70N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:744
- C:\Users\Admin\AppData\Local\Temp\is-MGKV3.tmp\94f5ef770d21e0ecb209d66c657efc70N.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-MGKV3.tmp\94f5ef770d21e0ecb209d66c657efc70N.tmp" /SL5="$601BA,837598,832512,C:\Users\Admin\AppData\Local\Temp\94f5ef770d21e0ecb209d66c657efc70N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-MGKV3.tmp\94f5ef770d21e0ecb209d66c657efc70N.tmp

Filesize
3.1MB

MD5
64727e8b0f2d93006f31c9a322ef2ead

SHA1
ea0c364590205beb70cc8500275d3f417f8a2ada

SHA256
dd433c8dfa3d504c0f2da83fa33678435866321badd90dd8461933eb2a6aa0b6

SHA512
ed85734714dd8284508347449405ac0f680237003766ec51616f63c31174559c9c2935c5944328b709eaa068c19aad6e1c10d26ac8eba9158e1ddd7b9118760c

Download Submit
memory/744-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/744-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/744-8-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/744-14-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3544-6-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3544-10-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/3544-12-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download